Example: Transport Security (SSL)

Securing the Example Service Application (SSL)

The following example application starts with the example provided in Chapter 5, WSIT Example Using a Web Container and NetBeans, and demonstrates adding security to both the web service and to the web service client.

For this example, the security mechanism of Transport Security (SSL) is used to secure the application. To add security to the service part of the example, follow these steps:

  1. Optionally, before starting GlassFish, turn on the GlassFish HTTP dump options to verify that security is working as you expect. To do this, open the file <GLASSFISH_HOME>/domains/domain1/config/domain.xml and add the following lines to the jvm-options section:
    <jvm-options>-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true</jvm-options>
    <jvm-options>-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true</jvm-options>
  2. Create the CalculatorApplication example by following the steps described in Chapter 5, WSIT Example Using a Web Container and NetBeans. Skip the section on adding Reliable Messaging.
  3. Expand CalculatorApplication → Web Services, then right-click the node for the web service, Calculator, and select Edit Web Service Attributes.
  4. Unselect Reliable Messaging if it is selected.
  5. In the CalculatorPortBinding section, select Secure Service.
  6. From the drop-down list for Security Mechanism, select Transport Security (SSL).
  7. Click OK to close the WSIT Configuration dialog.
  8. To require the service to use the HTTPS protocol, you have to specify the security requirements in the service's application deployment descriptor, which is web.xml for a web service implemented as a servlet. To specify the security information, follow these steps:
    1. From your web service application, expand Web Pages → WEB-INF.
    2. Double-click web.xml to open it in the editor.
    3. Select the Security tab.
    4. On the Security Constraints line, click Add Security Constraint.
    5. Under Web Resource Collection, click Add.
    6. Enter a Name for the Resource, CalcWebResource. Enter the URL Pattern to be protected, /*. Select which HTTP Methods to protect, for example, POST. Click OK to close this dialog.
    7. Check the Enable User Data Constraint box. Select CONFIDENTIAL as the Transport Guarantee to specify that the application uses SSL. CONFIDENTIAL means the application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission.
    8. You can click the XML tab to view the resulting deployment descriptor changes.
  9. Right-click the CalculatorApplication node and select Run Project. This step compiles the application and deploys it onto GlassFish. The server will present its certificate, s1as. Accept this certificate. A browser will open and display the WSDL file for the application.
  10. Follow the steps to secure the client application as described in the next section.
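
To check the result of step 8 outside the IDE, the following added example (not part of the original tutorial) parses a web.xml and reports which URL patterns and HTTP methods the CONFIDENTIAL guarantee covers. The embedded descriptor is a constructed sample of what the steps above produce, and the names children and audit_transport are hypothetical. It relies on the servlet rule that a web-resource-collection listing http-method elements constrains only those methods.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security constraint the steps above describe
# (resource name, URL pattern, method and guarantee are taken from step 8).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CalcWebResource</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def children(elem, name):
    """Direct children by local name, ignoring the XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def audit_transport(web_xml_text):
    """Return (rows, findings); each row is (url_pattern, guarantee, methods)."""
    root = ET.fromstring(web_xml_text)
    rows, findings = [], []
    for sc in children(root, "security-constraint"):
        guarantee = "NONE"  # effective value when no user-data-constraint is given
        for udc in children(sc, "user-data-constraint"):
            for tg in children(udc, "transport-guarantee"):
                guarantee = (tg.text or "").strip()
        for wrc in children(sc, "web-resource-collection"):
            methods = sorted((m.text or "").strip() for m in children(wrc, "http-method"))
            for up in children(wrc, "url-pattern"):
                pattern = (up.text or "").strip()
                rows.append((pattern, guarantee, methods))
                # An explicit method list leaves every other method unconstrained.
                if guarantee == "CONFIDENTIAL" and methods:
                    findings.append(f"{pattern}: only {','.join(methods)} is forced to HTTPS")
    if not any(g == "CONFIDENTIAL" for _, g, _ in rows):
        findings.append("no CONFIDENTIAL transport guarantee found")
    return rows, findings


if __name__ == "__main__":
    for finding in audit_transport(SAMPLE_WEB_XML)[1]:
        print(finding)
```

Removing the http-method element from the collection makes the constraint apply to every HTTP method, and the audit then returns no findings.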

Securing the Example Web Service Client Application (SSL)

This section demonstrates adding security to the web service client that references the web service created in the previous section. This web service is secured using the security mechanism described in Transport Security (SSL).

To add security to the client that references this web service, complete the following steps:

  1. Create the client application by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service up to the step where you create the Servlet (step 7 as of this writing), with the exception that you need to specify the secure WSDL when creating the Web Service Client:
    1. In the step where you are directed to cut and paste the URL of the web service that you want the client to consume into the WSDL URL field, enter https://localhost:8181/CalculatorApplication/CalculatorService?wsdl to indicate that this client should reference the web service using the secure port. The first time you access this service, accept the certificate (s1as) when you are prompted. The prompt appears because the server presents its certificate to confirm its identity to the client.
    2. Continue creating the client following the remainder of the instructions in Creating a Client to Consume a WSIT-Enabled Web Service.
  2. Compile and run this application by right-clicking on the CalculatorServletClient node and selecting Run Project.

If you turned on the GlassFish HTTP dump options, you can view the server log at <GLASSFISH_HOME>/domains/domain1/logs/server.log to verify that security was implemented as you expected.